We use ECR and have all of our images in our hub account, and make them readable from the prod/stage/dev accounts using a cross account policy.
For S3, it's more complicated because of object permissions and all the insanity that comes with cross-account writing etc.
Edit for more info: No explicit promotion process for containers. Engineers build images in our CI pipeline when their pull request is approved and merged to master, which is pushed to the hub account.
For S3, it's more complicated because of object permissions and all the insanity that comes with cross-account writing etc.
Edit for more info: No explicit promotion process for containers. Engineers build images in our CI pipeline when their pull request is approved and merged to master, which is pushed to the hub account.